I figure this is likely a good place as any for this Q.
I’m working on a SAN type driver that boots Windows
via a PXE environment (diskless system).
I need to incorporate a DeadMan timer/Restart policy
if I lose connectivity with remote Windows system disk.
Is there a DDK function that I can use to force a reboot ?
I can’t produce a BSOD because that too resides on a remote
SAN setup.
I’ve searched the DDK for this with zer0 success.
No, there is no call. Note rebooting involves user space efforts as well as
kernel, doing it in the kernel is not a good idea.
–
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Remove StopSpam from the email to reply
“JD” wrote in message news:xxxxx@windbg…
>I figure this is likely a good place as any for this Q.
>
> I’m working on a SAN type driver that boots Windows
> via a PXE environment (diskless system).
>
> I need to incorporate a DeadMan timer/Restart policy
> if I lose connectivity with remote Windows system disk.
>
> Is there a DDK function that I can use to force a reboot ?
> I can’t produce a BSOD because that too resides on a remote
> SAN setup.
>
> I’ve searched the DDK for this with zer0 success.
>
NtShutdownSystem might be what you are looking for. It is best if you
can attempt to initiate shutdown from user land but I am sure you would
have already thought of those.
If you call this, your user mode processes will not be notified of
shutdown hence any unsaved data will be lost. Read more about it at
http://support.microsoft.com/support/kb/articles/q279/1/34.asp
hth
Satya
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of JD
Sent: Friday, April 07, 2006 9:23 AM
To: Kernel Debugging Interest List
Subject: [windbg] DDK Call for rebooting ?
I figure this is likely a good place as any for this Q.
I’m working on a SAN type driver that boots Windows
via a PXE environment (diskless system).
I need to incorporate a DeadMan timer/Restart policy
if I lose connectivity with remote Windows system disk.
Is there a DDK function that I can use to force a reboot ?
I can’t produce a BSOD because that too resides on a remote
SAN setup.
I’ve searched the DDK for this with zer0 success.
You are currently subscribed to windbg as: xxxxx@appstream.com
To unsubscribe send a blank email to xxxxx@lists.osr.com
Well, it IS exported, so could be ok.
I belive this is the prototype.
If it works, let us know, could come in handy…
NTSYSAPI
NTSTATUS
NTAPI
NtShutdownSystem(IN SHUTDOWN_ACTION Action);
Parameters
Action
The action to be performed after shutdown. Permitted values are drawn from
the
enumeration SHUTDOWN_ACTION.
typedef enum _SHUTDOWN_ACTION {
ShutdownNoReboot,
ShutdownReboot,
ShutdownPowerOff
} SHUTDOWN_ACTION;
Return Value
Returns STATUS_SUCCESS or an error status, such as
STATUS_PRIVILEGE_NOT_HELD.
“JD” wrote in message news:xxxxx@windbg…
>I figure this is likely a good place as any for this Q.
>
> I’m working on a SAN type driver that boots Windows
> via a PXE environment (diskless system).
>
> I need to incorporate a DeadMan timer/Restart policy
> if I lose connectivity with remote Windows system disk.
>
> Is there a DDK function that I can use to force a reboot ?
> I can’t produce a BSOD because that too resides on a remote
> SAN setup.
>
> I’ve searched the DDK for this with zer0 success.
>
Don Burn wrote:
No, there is no call. Note rebooting involves user space efforts as well as
kernel, doing it in the kernel is not a good idea.
When I lose access to the system disk,
new processes can’t be started, and likely
current processes won’t be able to fault in new text
or data segments in … So in reality I can’t
use user space components.
If Windows provides a means of locking a program
in memory (like UNIX SVR4 )so all available
text/data is available I may get away with something
like a deadman timer process.
Satya Das wrote:
NtShutdownSystem might be what you are looking for. It is best if you
can attempt to initiate shutdown from user land but I am sure you would
have already thought of those.If you call this, your user mode processes will not be notified of
shutdown hence any unsaved data will be lost. Read more about it athttp://support.microsoft.com/support/kb/articles/q279/1/34.asp
Thanks. I don’t have filesystem access so cached data is toast.
jim wrote:
Well, it IS exported, so could be ok.
I belive this is the prototype.
If it works, let us know, could come in handy…
Will do ! come monday 
.
Have a user mode service that initiates the shutdown based on feedback
from your driver. Much nicer and easier to implement then using
undocumented KM exports.
d
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of JD
Sent: Friday, April 07, 2006 4:20 PM
To: Kernel Debugging Interest List
Subject: Re:[windbg] DDK Call for rebooting ?
Don Burn wrote:
No, there is no call. Note rebooting involves user space efforts as
well as
kernel, doing it in the kernel is not a good idea.
When I lose access to the system disk,
new processes can’t be started, and likely
current processes won’t be able to fault in new text
or data segments in … So in reality I can’t
use user space components.
If Windows provides a means of locking a program
in memory (like UNIX SVR4 )so all available
text/data is available I may get away with something
like a deadman timer process.
You are currently subscribed to windbg as: xxxxx@microsoft.com
To unsubscribe send a blank email to xxxxx@lists.osr.com
Doron Holan wrote:
Have a user mode service that initiates the shutdown based on feedback
from your driver. Much nicer and easier to implement then using
undocumented KM exports.d
thx … but Can’t be usermode because the filesystem is no longer
available.
So? The service is started when the OS starts. If the FS isn’t
available then, you have bigger problems. There is a linker flag which
says you run over the network, use that and the app won’t be paged out.
Or to get more evil, you could try to lock down the app from the driver
given a handle to the device.
d
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of JD
Sent: Friday, April 07, 2006 6:02 PM
To: Kernel Debugging Interest List
Subject: Re:[windbg] DDK Call for rebooting ?
Doron Holan wrote:
Have a user mode service that initiates the shutdown based on feedback
from your driver. Much nicer and easier to implement then using
undocumented KM exports.d
thx … but Can’t be usermode because the filesystem is no longer
available.
You are currently subscribed to windbg as: xxxxx@microsoft.com
To unsubscribe send a blank email to xxxxx@lists.osr.com
Could you point me to a link about this ?
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Doron Holan
Sent: Friday, April 07, 2006 7:12 PM
To: Kernel Debugging Interest List
Subject: RE: [windbg] DDK Call for rebooting ?
There is a linker flag which says you run over the network, use that and
the app won’t be paged out.
d
A quick run of “link /?” shows a command option “/swaprun:[cd|net]”. A
search of swaprun turns up several links about this (e.g.,
http://msdn2.microsoft.com/en-US/library/chzz5ts6(VS.80).aspx) which may
be what you are looking for…
Regards,
Tony
Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Satya Das
Sent: Sunday, April 09, 2006 3:19 AM
To: Kernel Debugging Interest List
Subject: RE: [windbg] DDK Call for rebooting ?
Could you point me to a link about this ?
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Doron Holan
Sent: Friday, April 07, 2006 7:12 PM
To: Kernel Debugging Interest List
Subject: RE: [windbg] DDK Call for rebooting ?
There is a linker flag which says you run over the network, use that and
the app won’t be paged out.
d
You are currently subscribed to windbg as: unknown lmsubst tag argument:
‘’
To unsubscribe send a blank email to xxxxx@lists.osr.com
But /SWAPRUN does not prevent paging out. The OP, I presume, has
pagefile on the network too.
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Tony Mason
Sent: Sunday, April 09, 2006 4:40 AM
To: Kernel Debugging Interest List
Subject: RE: [windbg] DDK Call for rebooting ?
A quick run of “link /?” shows a command option “/swaprun:[cd|net]”. A
search of swaprun turns up several links about this (e.g.,
http://msdn2.microsoft.com/en-US/library/chzz5ts6(VS.80).aspx) which may
be what you are looking for…
Regards,
Tony
Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Satya Das
Sent: Sunday, April 09, 2006 3:19 AM
To: Kernel Debugging Interest List
Subject: RE: [windbg] DDK Call for rebooting ?
Could you point me to a link about this ?
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Doron Holan
Sent: Friday, April 07, 2006 7:12 PM
To: Kernel Debugging Interest List
Subject: RE: [windbg] DDK Call for rebooting ?
There is a linker flag which says you run over the network, use that and
the app won’t be paged out.
d
You are currently subscribed to windbg as: unknown lmsubst tag argument:
‘’
To unsubscribe send a blank email to xxxxx@lists.osr.com
You are currently subscribed to windbg as: unknown lmsubst tag argument:
‘’
To unsubscribe send a blank email to xxxxx@lists.osr.com
Paging files cannot be on the network - they must be on the local drive
(or at least on something claiming to be a local drive.) This is
precisely because of the need to have some storage that doesn’t “go
away” when the network goes away (and networks can suffer transient
failures - we don’t really want the computer to crash when they do
suffer from such failures.)
Regards,
Tony
Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com
Looking forward to seeing you at the next OSR File Systems class in
Boston, MA April 18-21, 2006.
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Satya Das
Sent: Monday, April 10, 2006 2:00 PM
To: Kernel Debugging Interest List
Subject: RE: [windbg] DDK Call for rebooting ?
But /SWAPRUN does not prevent paging out. The OP, I presume, has
pagefile on the network too.
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Tony Mason
Sent: Sunday, April 09, 2006 4:40 AM
To: Kernel Debugging Interest List
Subject: RE: [windbg] DDK Call for rebooting ?
A quick run of “link /?” shows a command option “/swaprun:[cd|net]”. A
search of swaprun turns up several links about this (e.g.,
http://msdn2.microsoft.com/en-US/library/chzz5ts6(VS.80).aspx) which may
be what you are looking for…
Regards,
Tony
Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Satya Das
Sent: Sunday, April 09, 2006 3:19 AM
To: Kernel Debugging Interest List
Subject: RE: [windbg] DDK Call for rebooting ?
Could you point me to a link about this ?
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Doron Holan
Sent: Friday, April 07, 2006 7:12 PM
To: Kernel Debugging Interest List
Subject: RE: [windbg] DDK Call for rebooting ?
There is a linker flag which says you run over the network, use that and
the app won’t be paged out.
d
You are currently subscribed to windbg as: unknown lmsubst tag argument:
‘’
To unsubscribe send a blank email to xxxxx@lists.osr.com
You are currently subscribed to windbg as: unknown lmsubst tag argument:
‘’
To unsubscribe send a blank email to xxxxx@lists.osr.com
You are currently subscribed to windbg as: unknown lmsubst tag argument:
‘’
To unsubscribe send a blank email to xxxxx@lists.osr.com
Well it is disk on SAN and of course I did not care about the lying.
There is no rule that says paging files have to be on local disk. Linux
allows swap file over NFS, not sure how much lying is involved but to me
(you may disagree), that means the pagefile is on network.
Satya
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Tony Mason
Sent: Monday, April 10, 2006 3:38 PM
To: Kernel Debugging Interest List
Subject: RE: [windbg] DDK Call for rebooting ?
Paging files cannot be on the network - they must be on the local drive
(or at least on something claiming to be a local drive.) This is
precisely because of the need to have some storage that doesn’t “go
away” when the network goes away (and networks can suffer transient
failures - we don’t really want the computer to crash when they do
suffer from such failures.)
Regards,
Tony
Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com
Looking forward to seeing you at the next OSR File Systems class in
Boston, MA April 18-21, 2006.
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Satya Das
Sent: Monday, April 10, 2006 2:00 PM
To: Kernel Debugging Interest List
Subject: RE: [windbg] DDK Call for rebooting ?
But /SWAPRUN does not prevent paging out. The OP, I presume, has
pagefile on the network too.
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Tony Mason
Sent: Sunday, April 09, 2006 4:40 AM
To: Kernel Debugging Interest List
Subject: RE: [windbg] DDK Call for rebooting ?
A quick run of “link /?” shows a command option “/swaprun:[cd|net]”. A
search of swaprun turns up several links about this (e.g.,
http://msdn2.microsoft.com/en-US/library/chzz5ts6(VS.80).aspx) which may
be what you are looking for…
Regards,
Tony
Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Satya Das
Sent: Sunday, April 09, 2006 3:19 AM
To: Kernel Debugging Interest List
Subject: RE: [windbg] DDK Call for rebooting ?
Could you point me to a link about this ?
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Doron Holan
Sent: Friday, April 07, 2006 7:12 PM
To: Kernel Debugging Interest List
Subject: RE: [windbg] DDK Call for rebooting ?
There is a linker flag which says you run over the network, use that and
the app won’t be paged out.
d
You are currently subscribed to windbg as: unknown lmsubst tag argument:
‘’
To unsubscribe send a blank email to xxxxx@lists.osr.com
You are currently subscribed to windbg as: unknown lmsubst tag argument:
‘’
To unsubscribe send a blank email to xxxxx@lists.osr.com
You are currently subscribed to windbg as: unknown lmsubst tag argument:
‘’
To unsubscribe send a blank email to xxxxx@lists.osr.com
You are currently subscribed to windbg as: unknown lmsubst tag argument:
‘’
To unsubscribe send a blank email to xxxxx@lists.osr.com
Well, you can assert that paging files are supported by network file
systems, but that doesn’t make it true. Only FAT/NTFS support paging
files and they only work on local drives (or things that *report* to be
local drives.) If you manually force the system to try and open a
paging file over RDR (by manually inserting the entry into the registry)
it will fail.
And quoting a different operating system in order to infer the rules for
Windows makes no sense to me. If your question is “could the Windows
team have supported paging files on the network” the answer would have
been “of course, but they decided not to do so.” Similarly, if a disk
subsystem is implemented over the network and reports itself to be local
storage, then the file systems will treat it like a local drive and by
the time this percolates to the Memory Manager it will be treated like a
local file on a local drive. But there’s little we can do to protect
against Byzantine situations in a single level trust model.
Bottom line: I don’t care about where the paging file is or why the MS
folks decided to put it there. I merely tried to point to the flag that
Doron mentioned. If that isn’t sufficient for your purposes then you’ll
need to explore other possibilities - and there are plenty of other
possibilities. Heck, if you want, build a file system filter driver and
pin the entire executable into the cache. That would work for small
executable images without much system impact (maybe a few MB) but if you
want to pin down lots of things (or one big thing) that’s not a good
solution. As is so often the case in this business, the solution is
often very dependent upon the scenario and situation. While I’m sure
you think there should be a simple solution, there may not be because of
the constraints on your problem (no local storage, all drives are on a
SAN and may randomly disappear and you want the system to work properly,
etc.)
Regards,
Tony
Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com
Doron Holan wrote:
So? The service is started when the OS starts. If the FS isn’t
available then, you have bigger problems.
If you can’t comprehend the state, I really can’t explain it any more.
JD wrote:
jim wrote:
> Well, it IS exported, so could be ok.
> I belive this is the prototype.
> If it works, let us know, could come in handy…
>
Will do ! come monday
That Nt* function is pretty much undocumented, and also requires the
SE_SHUTDOWN_PRIVILEGE. However, since you are in kernel-mode, that
shouldn’t be a problem. Nevertheless, Nt/Zw* functions are native, so if
they are undocumented they usually have a tendency for changing between
releases, or there is a specific reason why they’re not documented. Also
you should be aware of IRQL considerations. Many native functions exist
in PAGED_CODE, so calling them might end up in a catastrophe. If
undocumented APIs are the way you’re going to go, I’d much rather
suggest using:
NTHALAPI
VOID
NTAPI
HalReturnToFirmware(
FIRMWARE_REENTRY Action
);
with
//
// HalShutdownSystem Types
//
typedef enum _FIRMWARE_REENTRY
{
HalHaltRoutine,
HalPowerDownRoutine,
HalRestartRoutine,
HalRebootRoutine,
HalInteractiveModeRoutine,
HalMaximumRoutine
} FIRMWARE_REENTRY, *PFIRMWARE_REENTRY;
The usage of a unoducmented HAL function gives you some aditional
security over using an undocumented native function, in terms of the
function not changing, as well as in the fact that you can be sure it’s
accessible from HIGH_LEVEL and skips all the security checks which are
largely irrelevant in your case.
Nevertheless, you should defintely try having something in user-mode
that listens for a notification and does ExitWindows instead. The reason
that rebooting/shutting down isn’t exported to drivers is because it’s
an extremly rude thing to do to your users, apart from the other
possible considerations. Imagine if some video driver decided it was
time to reboot your system for a reason you’re never told about 
Best regards,
Alex Ionescu
I thought about chopping most of that, but I figured I’d leave it as a
good example of how to answer a question the OP didn’t ask.
He’s trying to restart the system because the network storage, which is
the only available storage, is gone. (I think) the design goal is to
reboot rudely instead of BSOD rudely. When you have no storage in which
to gracefully save your state, is there really any difference, except that
it *might* appear a bit smoother to restart? The OP certainly can’t give
the user the opportunity to save anything, since that would entail faking
the save, and the data is gone, anyway. So other than the brief
appearance of a BSOD followed immediately by the system boot, there’s no
functional difference.
This is just for a kiosk or some other read-only application, right? You
don’t actually expect anyone to use this for any data they want to keep?
Phil
Philip D. Barila
Seagate Technology LLC
(720) 684-1842
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Alex Ionescu
[397670]
Sent: Monday, April 10, 2006 6:47 PM
To: Kernel Debugging Interest List
Subject: Re:[windbg] DDK Call for rebooting ?
JD wrote:
jim wrote:
> Well, it IS exported, so could be ok.
> I belive this is the prototype.
> If it works, let us know, could come in handy…
>
Will do ! come monday
That Nt* function is pretty much undocumented, and also requires the
SE_SHUTDOWN_PRIVILEGE. However, since you are in kernel-mode, that
shouldn’t be a problem. Nevertheless, Nt/Zw* functions are native, so if
they are undocumented they usually have a tendency for changing between
releases, or there is a specific reason why they’re not documented. Also
you should be aware of IRQL considerations. Many native functions exist
in PAGED_CODE, so calling them might end up in a catastrophe. If
undocumented APIs are the way you’re going to go, I’d much rather
suggest using:
NTHALAPI
VOID
NTAPI
HalReturnToFirmware(
FIRMWARE_REENTRY Action
);
with
//
// HalShutdownSystem Types
//
typedef enum _FIRMWARE_REENTRY
{
HalHaltRoutine,
HalPowerDownRoutine,
HalRestartRoutine,
HalRebootRoutine,
HalInteractiveModeRoutine,
HalMaximumRoutine
} FIRMWARE_REENTRY, *PFIRMWARE_REENTRY;
The usage of a unoducmented HAL function gives you some aditional
security over using an undocumented native function, in terms of the
function not changing, as well as in the fact that you can be sure it’s
accessible from HIGH_LEVEL and skips all the security checks which are
largely irrelevant in your case.
Nevertheless, you should defintely try having something in user-mode
that listens for a notification and does ExitWindows instead. The reason
that rebooting/shutting down isn’t exported to drivers is because it’s
an extremly rude thing to do to your users, apart from the other
possible considerations. Imagine if some video driver decided it was
time to reboot your system for a reason you’re never told about
Best regards,
Alex Ionescu
You are currently subscribed to windbg as: xxxxx@seagate.com
To unsubscribe send a blank email to xxxxx@lists.osr.com
Umm… There is no linker flag that I can find that will lock the file
in RAM with no paging out.
Additionally jrichter mentions (at the URL below) that the loader checks
if the file is indeed on the network before doing its special magic for
/swaprun:net option
http://www.microsoft.com/msj/0398/win320398.aspx
It does not seem like this is an alternative solution for OP’s issue.